JSTOR and the Case of the Over-Downloader

Last year, users of JSTOR, the online scholarly database, downloaded articles from the site seventy million times. Nearly five million of those downloads were made by Aaron Swartz, a twenty-four-year-old Stanford dropout and, as the Timesput it, “Internet folk hero,” who this week was charged by the federal government with violations related to computer hacking. If convicted, he could face up to thirty-five years in prison. Defenders say Swartz was arrested for the online equivalent of “checking too many books out of the library,” as phrased by the executive director of Demand Progress, a political-action non-profit founded by Swartz. U.S. Attorney Carmen M. Ortiz had a different view: “Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars.” Swartz, for his part, pled not guilty.

Here’s what the federal indictment says Swartz did: he bought an Acer laptop, hid it in a closet at M.I.T., with which he was not affiliated—the federal indictment deems it worth noting that he was, at the time, a fellow at Harvard University’s Center for Ethics—and connected as a guest to M.I.T.’s network (which anyone within range of that network is free to do) under the user name “Gary Host,” or “ghost,” for short. Several bouts of geek espionage ensued—shifting of I.P.s, spoofing of MAC addresses—and, over the course of four months, Swartz was able to download close to two-thirds of JSTOR’s archive to the laptop’s hard drive. When Swartz finally returned to the closet to retrieve the laptop, he hid his face, as the indictment puts it, “with [a] bicycle helmet before peering through a crack in the double doors and cautiously stepping out.”

It sure sounds suspicious, but what, exactly, was Swartz’s crime? (A moment of disclosure: Swartz’s company Infogami was acquired in 2005 by Reddit, which, like The New Yorker, is under the Condé Nast umbrella.) Sneaking into a building at M.I.T. might seem like trespassing, but that’s not a federal crime. He’s charged instead with wire and computer fraud—for having knowingly accessed a computer with the intent to defraud, and gaining some value from it. (A JSTOR subscription like M.I.T.’s could go for fifty thousand dollars.) Swartz is also accused of accessing a “protected computer” (more on that in a moment) without authorization, and damaging it—his downloads overwhelmed JSTOR’s server, shutting down access at M.I.T. for a time. Critics of Swartz have compared the act to breaking and entering, while supporters note that the better analogy is to say that JSTOR gave Swartz the keys to its house, then got upset when he drank all the milk.

JSTOR, for its part, says all the milk was returned—Swartz gave back the downloaded data—and considered its dealings with Swartz complete. (Among the broader, more existential questions involved: Can one “steal” and then “return” data, given that the original data remains on JSTOR’s servers all along?) But that doesn’t appear to satisfy the government, which has been waging something of a war against “hacking,” broadly defined. The primary method of bombardment has been Title 18, Section 1030 of the U.S. Code, known as the Computer Fraud and Abuse Act. It prohibits a number of things, primarily the unauthorized use or access of government computers, computers affiliated with financial institutions, and “protected computers.” The last of these is defined as those laptops and desktops “used in or affecting interstate commerce.” (JSTOR’s computers are located outside of Massachusetts.) Like the constitutional clause of a similar nature, this particular statement has been read expansively to prosecute various Web-based misdeeds—a category of criminal activity the government has been struggling to define. Combined with Justice Potter Stewart’s pornography test, the C.F.A.A. has become a sort of Internet martial law for prosecutors: we know Internet crime when we see it, and we’ll punish it as we see fit.

A number of cases have involved the C.F.A.A., to varying degrees of applicability. The government dropped espionage charges against Thomas Drake, the N.S.A. employee whose prosecution for allegedly leaking government secrets was chronicled by Jane Mayer, but only after he pleaded guilty to one charge of computer fraud. Among the thirty-four counts currently held against Bradley Manning, the WikiLeaks leaker, nine come from Section 1030. The prosecution of Lori Drew, who had been accused of harassing, via MySpace, a teen-age girl who eventually committed suicide (Lauren Collins wrote about the case) stemmed from a charge similar to that against Swartz, that she had had violated MySpace’s terms of service. That charge was thrown out as being too broad, and fraught with too many complications, but, as Wired points out, it has been used again in a case against computer bots that may have violated Ticketmaster’s terms of service in an effort to beat actual humans to the best Bruce Springsteen and U2 tickets.

In Swartz’s case, it’s unclear exactly why he wanted JSTOR’s archives. The indictment alleges that he intended to create a sort of Napster for scholarly research. Why, some wonder, is the research on JSTOR, much of it conducted at taxpayer-funded universities or supported by government grants, not available to the public? Jill Lepore, a staff writer at The New Yorker and a professor at Harvard, co-founded a free scholarly journal in 1999 because she “felt so strongly that it was important that it be free, which seemed, then, the promise of the Internet.” As to whether all scholarly information should be free, Lepore was less sure, saying, via e-mail, “What has being free done for newspapers and magazines and books lately?” Swartz offered his take on the argument when, in 2008, he used a free trial of the government’s PACER service, which provides access, for a fee, to court records, to download an estimated twenty per cent of the database’s available material, 19,856,160 pages of text. He then posted them for public consumption, and only found out later that the F.B.I. had investigated his involvement.

By returning the downloaded data to JSTOR, Swartz seems to have admitted some level of wrongdoing, or at least a desire to avoid more serious criminal prosecution. But the question now is whether his alleged offense should be criminal at all. The Web is well into its second decade of public use, but the government is still far from a precise understanding of how to police it.